Sidecar not generating collector yml files

conyerbd · June 10, 2019, 4:54pm

Newbie here following the step-by-step guide for 3.0 configuration. Everything has installed smoothly to this point.

Graylog is running on a Debian 9 VM
Sidecar is being installed on the windows 10 workstation that is hosting the VM. This is for testing/learning.

I have created an input and the sidecar is visible as well within Graylog. However, the collector status says “There are no collectors configured in this sidecar”.

From my understanding, when setting up the sidecar in Windows the “generated” folder should be populated with filebeat and winlogbeat yml files. This is not happening and so the Graylog server isn’t able to manage the collectors.

The only changes I have made that deviate from the tutorial are that I have set tls_skip_verify to true since I am not running this yet.

A few points of confusion in the step by step guide. when creating the beats input it says “start a global Beats input…” however the image shows the global box unchecked.

A few steps later when navigating to the configuration page the image shows four Log Collectors already visible. This is where my setup deviates and shows nothing under Log Collectors.

I’m not sure where the disconnect is between the workstation and the server considering some things are visible. Research online suggests that the issue has to do with tags, however these seems to have gone to the wayside in 3.0.

Any suggestions? Thanks!

conyerbd · June 10, 2019, 7:06pm

This was solved… sort of.

A colleague replicated my installation on ubuntu instead of debian (not sure if that matters) and was shown the default collector configurations in his installation. I copied the settings into my installation and restarted everything and it all worked.

For anyone else that ends up here these were the default settings:

Name

winlogbeat

Process management

Windows service

Operating System

Windows

Executable Path

C:\Program Files\Graylog\sidecar\winlogbeat.exe

Execute Parameters (Optional)

-c “%s”

Parameters for Configuration Validation (Optional)

test config -c “%s”

Default Template

fields_under_root: true

fields.collector_node_id: ${sidecar.nodeName}

fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:

hosts: [“192.168.94.37:5044”]

path:

data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data

logs: C:\Program Files\Graylog\sidecar\logs

tags:

windows

winlogbeat:

event_logs:

name: Application
name: System
name: Security

jan · June 12, 2019, 1:15pm

did you see the Sidecar in the Graylog UI?
did you create a configuration for your collector?
did you assign the configuration to the sidecar?

conyerbd · June 12, 2019, 1:53pm

Hi Jan,

Yes, I could see the sidecar in the UI.

I wasn’t able to create a configuration because it asks for a collector in the drop down. Since there were no default collectors I wasn’t able to complete the configuration.

Once I manually created a winlogbeat collector from looking at a colleagues computer I was able to add the configuration and start receiving logs.

system · June 26, 2019, 1:53pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting stated with filebeat Graylog Central (peer support) sidecar	1	1989	August 17, 2017
Windows events to graylog server Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	3	4761	December 27, 2018
No Collectors or sidecar devices are showing Graylog Central (peer support)	22	854	September 6, 2022
No Collectors to display Graylog Central (peer support) sidecar , nxlog , filebeat-windows , winlogbeat , nodatanx	24	6030	July 11, 2019
Sidecar confusion Graylog Central (peer support) sidecar , nxlog , multi-linenx	2	1740	December 6, 2017